Three Arrested in Sony Rootkit Virus Case

June 27, 2006

Police in London have arrested three men suspected of writing a virus that infected computers containing the Sony BMG anti-piracy code.

Wall Street Journal columnist Jeremy Wagstaff, writing today in his personal blog, Loose Wire, calls attention to an interesting link between the arrest of three suspected hackers in the United Kingdom and Finland and the Sony BMG “rootkit” scandal, which I wrote about in the July/August Technology Review cover story.

The men – a 63-year-old from England, a 28-year-old from Scotland, and a 19-year-old from Finland, according to a June 27 story in the Times of London – are suspected by London’s Metropolitan Police Computer Crime Unit of writing a computer virus variously known as Ryknos, Breplibot, and Stinx, which allegedly turned infected machines into “zombies” that the men could use to generate thousands of spam e-mails. Wagstaff seems to be the first to note that Stinx is the same virus that gained entry to PC operating systems via a hidden rootkit directory created when computer owners played one of 52 copy-protected music CDs released by giant record label Sony BMG in 2005.

As our TR story explained, software engineers hired by Sony BMG employed a rootkit (a common tool of the hacker underground) only to cloak software code that prevented CD buyers from burning more than three copies of their discs or sharing them with others. But security experts who discovered the rootkit on Sony BMG CDs last fall warned that it could also be exploited by hackers to hide viruses, Trojan horses, and other malware.

And, sure enough, within weeks after a public furor erupted over Sony BMG’s action, anti-virus firms detected a virus spreading on the Internet – Stinx – that had obviously been written by hackers who were aware of the vulnerability. Anybody who neglected to download and run Sony BMG’s emergency uninstaller after playing a copy-protected CD was defenseless against Stinx. (The virus’s profile has now been incorporated into most anti-virus programs, meaning the threat has largely passed – but Sony BMG customers should still run the uninstaller.)

Now we may know who’s behind Stinx. Wagstaff comments: “If those detained were involved, it’ll be interesting to hear what they’ve got to say about the Sony rootkit.” Indeed. The arrests should be seen as confirmation that if a piece of commercial software contains a security hole, hackers will discover and exploit it – which puts a much greater responsibility on software distributors than Sony BMG was willing or able to bear.

[And a note of thanks to WSJ’s Wagstaff for plugging TR’s feature story.]